I have many websites like Facebook where we write a email address and we just click a button, from this a list of email address's rolls down.
Can anyone tell me how this is achieved? Can it be done with just HTML or do i need to learn any other language?
This is accomplished using Javascript or AJAX requests to query the databases "live" and the return a data set. If I understand you correctly like on Facebook where you type in a Friends name and it will pull back a full list of names which may be your friends.
Jquery, Ajax, Javascript, PHP and Mysql would be some good researching points.
It would be worth searching for "How to create a PHP Ajax request to auto populate HTML fields"
If you are referring to Auto Complete within a browser this is a local setting which is controlled by the end user or their administrator and from what I am aware from HTML alone you can not manipulate this.
I fully agree with Steve's answer. In addition you might want to check out the following:
http://ajaxdump.com/2010/08/11/10-cool-auto-complete-scripts-using-ajaxjquerymootoolsprototype/
http://www.freshdesignweb.com/jquery-ajax-autocomplete-plugins.html
Hope it will help you
Well i go on and search a lot and then i found this is very simple!!
you just need is to type autocomplete = "on" and give it a name and then make a submit button
the code goes here:
<input type="text" name="Name" autocomplete="on" />
<input type="submit" />
Related
I've researched it and cannot find a standard, dependable way to make a browser prevent autofill and not remember the password in a standard login form.
This is important to me as I'm working on a mobile web app, so if the user clicks logout and someone else gets hold of their phone, the browser shouldn't help them out by just handing them the password!
The only solution I can come up with is to make the password field type="text".
Sure, this would mean people can 'shoulder surf' and see what the user is typing in, but that same person could almost as easily just watch the user's fingers to see what password they're typing in...
I don't think spyware is a real issue here either, as I don't think a type="password" character mask is going to stop a malicious keylogger, etc. from doing its stuff.
So, I'm wondering if there are any other security concerns that I may have missed for using type="text" for a password field?
Maybe if I combined this idea with a dynamic/random 'name' attribute for the input, could I be onto a winner?
NB - The solution needs to be compliant with XHTML Mobile Profile.
Also, please refrain from advising me on what is semantically correct here. My priority is security, not semantics. :)
Bad idea - The browser will remember text fields, it just wont enter them automatically as it does with passwords. Instead it will suggest the password as an autocomplete for all to see. I also think reading a password over someones shoulder is much easier than reading their keystrokes.
The reason some browsers dont respect the autocomplete option for passwords is probably because passwords are handled by a separate (in theory more secure) method for handling/storing password data - obviously by using a text field you are bypassing this system with whatever risks that entails.
I dont think there is a definitive solution that doesnt involve js, since at the end of the day you have no real control over what their browser remembers. You can only provide hints and suggestions. Which will be handled in different ways by different browsers. Your best bet is to start by adding :
autocomplete="off"
to your form and input. Works in most browsers - but not all.
The above would go in your form tag and your password input tag, something like:
<form id="form1_randomstring" name="form1" method="post" action="process.php" autocomplete="off">
<input name="password_randomstring" type="password" value="">
As you said in your question, randomizing the form and input names will also trick some browsers into thinking it is dealing with a different form
Also, browser will be extra conservative about what they remember if you use ssl. So this may help.
Finally, as another layer of protection you could have a little onload jquery to clear the form field manually on docready:
$("input[type='password']").val('');
Obviously no help if not running js.
The Definitive solution (maybe?)
You could go a step further and inject the form field using an ajax call (plus generating the random form names + autocomplete and serving the page through ssl). Meaning js would be a requirement for logon but you could then make sure the field was clear and generate the form after page load. I would challenge any browser to complete it then.
If you went for that option both the outer page and the ajax loaded page would have to run through ssl - If you didnt want this an alternative might be to load the ssl form through an iframe (again trade-offs -user base would need to be considered.)
Depending on your requirements and userbase, this could present the most guaranteed option.
NOTE
Autocomplete="off" may not pass strict XHTML validation. An option then may be to add the autocomplete attribute after page load with jquery (again, obviously this wont work without js enabled):
$('#form1').attr('autocomplete', 'off');
As an added point, The simplest way to prevent a key logger would be to provide a select option drop down box and ask them to enter a letter/number from their password. Practically speaking you would have to limit passwords to alphanumeric and ask the user to enter at least three letters/numbers from their password in a series of drop downs.
Summary
No perfect solution but lots of options, you'll have to consider what is right for you. I would maybe go for the ajax call as the main method. You could initially load a link to the form and dynamically replace it with the ajax content so that there is still an option for non js users (less users compromised by autocomplete)
A registration webpage impressed me by knowing all my name, address, email, telephone number.
This is the first time i visit this website.
I guess that it might remember from other website with same id or name such as id="firstname"
id ="telephone" but i don't know exactly what is going on. How to implement this ?
Edit - Add more information.
I have done nothing, value is just appeared as page load.
This is what i got from view source.
<div class="ui-form-field" id="ohfirstNameField">
<input class="ui-form-field-text ui-corner-all" name="ohfirstName" maxlength="4000" type="text" id="ohfirstName" required="required" value="Sarawut" />
</div>
I have seen that before as well, and here is my theory. I believe the browser is storing basic information for you. A separate website cannot read any cookies not generated by itself (that would be a huge security issue), so that can't be it.
I think it is just a few fields that the browser stores. How to get at them, I am not sure. Is this Google Chrome you're talking about?
You could use OpenId to get a similar effect. The user will be asked, if he allows the authenticating site to his data, but if admits it, you will be able to prefill your form with data from the user.
Is there a way to post some values in a form without using hidden fields?
The user should not be able to read these values by checking the DOM.
You can use hidden fields for posting data. But if you want that the user should not be able to read the values set in hidden field, you can encrypt the value before setting in the hidden field and then set it.
In this way nobody except you, who knows how to decode the value, would be able to read it.
Hope this helps.
AJAX can post any values you like, whether or not they appear in the form.
Well, whatever method you use the data is visible. The way sensitive data can be handled 'safely' on a public webpage is twofold.
Encrypt the data, as other poster mentionned.
Use ssl ( https:// ) for the pages you want secured. This prevents any 3rd party from sniffing the traffic generated by your users requests.
With these 2 simple steps properly implemented, the data, though not 100% secure ( nothing is secure on the net ), it is a lot harder to attain.
Using this two way passworded encryption class
http://www.tonymarston.net/php-mysql/showsource.php?file=std.encryption.class.inc
and following the usage example
http://www.tonymarston.net/php-mysql/showsource.php?file=encryption.php
you can get something like this
http://www.tonymarston.net/php-mysql/encryption.php
Then in your situation you can do this:
<form >
<input type="hidden" name="data value="<?php echo($encryptedData); ?>" />
</form>
or you could do this
<?php setcookie("formdata", $encryptedData, time()+3600); /* expire in 1 hour */ ?>
Then on the other end you can decrypt the data using your password.
If I'm reading your question correctly, no, not really.
If you give something to the user and get it back, the user can modify it.
Why are you in need of this functionality? If you give us some context, I bet you'll get a definitive answer.
I have this code <input type="text" value="destroy" AUTOCOMPLETE="on" /> to enable autocomplete, but it is not working.
Can u tell me any suggestions?
Auto complete is browser based and should be turned on by default. But usually they only store values that were submitted.
BTW here's an old SO post about autocomplete (just for fun)
Depends what you are trying to achieve. The autocomplete you used serves to offer user a choice from what the user himself typed before.
If you want autocomplete such like search engines have, where user is suggested a number of choices he never typed, then you need to use javascript, and also store somewhere data with autocomplete suggestions.
Here's an example:
http://www.pengoworks.com/workshop/jquery/autocomplete.htm
AUTOCOMPLETE="on"
This property is only used by Microsoft Internet Explorer and the default is on. You should only use it to turn it off. If the user turns it off in their browser you can't use it.
I am developing an application in Rails 3 using a nosql database. I am trying to add a "Follow" feature similar to twitter or github.
In terms of markup, I have determined that there are three ways to do this.
1) Use a regular anchor. (Github Uses This Method)
Follow
2) Use a button. (Twitter Uses This Method)
<button href="/friendships/create/">Follow</button>
3) Use a form with a submit button. (Has some advantages for me, but I haven't see anyone do it yet.)
<form method="post" id="connection_new" class="connection_new" action="/users/follow">
<input type="hidden" value="60d7b563355243796dd8496e17d36329" name="target" id="target">
<input type="submit" value="Follow" name="commit" id="connection_submit">
</form>
Since I want to store the user_id in the database and not the username, options 1 and 2 will force me to do a database query to get the actual user_id, whereas option 3 will allow me to store the user_id in a hidden form field so that I don't have to do any database lookups. I can just get the id from the params hash on form submission.
I have successfully got each of these methods working, but I would like to know what is the best way to do this. Which way is more semantic, secure, better for spiders, etc...? Is there a reason both twitter and github don't use forms to do this?
Any guidance would be appreciated. I am leaning towards using the form method since then I don't have to query the db to get the id of the user, but I am worried that there must be a reason the big guys are just using anchors or buttons for this.
I am a newb so go easy on me if I am totally missing something. Thanks!
It's really just based on personal preference. The simple anchor tag is nice and easy, shows clear intent, and is nice and concise. You can just create an AJAX post request with Javascript to make it all happen quickly. The database operation shouldn't be a problem. Even if it eventually will be too slow (though I doubt it), I'd say you're likely doing premature optimization.